- Authorized ARP
- DHCP snooping
- IP source guard
- Dynamic ARP inspection
- Downloadable ACL (dACL)
- AAA
- CoPP
- MPP
- PSP
- Crypto ACL
- VTI
- IPsec
- PKI
- NTP
- Multicast
- Context-based access control (CBAC)
- Zone-based firewall (ZBF)
- IP source route
- IP source track
- Router IP traffic export (RITE)
- ACL
- Dynamic ACL
- Reflexive ACL
- Unicast RPF
- TCP intercept
- Encrypted traffic analytics
- Flexible packet matching
- C3PL
- Design
- IPv6
Authorized ARP
- explicit check whether the host is reachable or not
- disables dynamic ARP; entries – static or DHCP snooping
- periodic dispatch of ARP requests
; static entry takes priority over a DHCP-learned one
(config)# arp <IP> <MAC> arpa <intf>
; sends probes every 30s by default
(config-if)# arp authorized
; 4h by default
(config-if)# arp timeout <sec>
; sec = [1,10], num = [1,60]; finer control for probing; sends probe every sec, removes entry after num lost, not after timeout
(config-if)# arp probe interval <sec> count <num>
(dhcp-config)# update arp
DHCP snooping
- ports
- trusted
- towards DHCP server and other snooping switches
- DHCP server messages are not checked
- no entries learnt into DB from trusted ports
- untrusted:
- default
- drops server messages (DHCP Offer, Ack, Nak) arriving from clients
- drops DHCP Release, Decline if content does not match snooping DB
- → errdisable on DHCP rate limit violation
- entry is added to DB after receiving DHCP Ack
- binding stores MAC, IP, VLAN, interface, lease time
- client broadcasts (Discover, Request) are forwarded only out of trusted ports
(config)# ip dhcp snooping
; if several commands issued, merges lists
(config)# ip dhcp snooping vlan <VLAN> [<VLAN_RANGE_END>]
; static entry in DHCP snooping DB
(config)# ip dhcp snooping binding <MAC> vlan <N> <IP> interface <intf>
; inserts Option 82 (relay agent information: switch MAC as remote ID, port as circuit ID); on by default
(config)# ip dhcp snooping information option
; logs dropped packets via NetFlow
(config)# ip dhcp snooping vlan <RANGE> smartlog
; on untrusted ports verify that Ethernet source MAC = DHCP client hardware address (chaddr); on by default
(config)# ip dhcp snooping verify mac-address
(config-if)# ip dhcp snooping trust
; no limit by default, on untrusted
(config-if)# ip dhcp snooping limit rate <pps>
# show ip dhcp snooping
IP source guard
- checks against DHCP Snooping DB
- only DHCP traffic is permitted if no entry is found
- source IP address must match address received via DHCP; done with ACL autogeneration and applying it to interface, not visible
- source MAC must match DB entry; done with port-security, not visible
- depends on DHCP snooping (IP) and port-security (MAC)
- inbound check only
- not compatible with PVLAN
; static entry for IP source guard
(config)# ip source binding <MAC> vlan <VLAN> <IP> interface <intf>
; port-security keyword adds MAC verification; port-security itself must be enabled separately on the interface, otherwise all MACs are permitted
(config-if)# ip verify source [port-security]
# show ip verify source [interface <intf>]
# show ip source binding
Dynamic ARP inspection
- uses DHCP Snooping DB
- verifies MAC+IP within ARP request and reply; if verification fails – drop
- by default ports are untrusted
- inspection filter – static ARP filtering without DHCP Snooping
(config)# ip arp inspection vlan <range>
; extra checks
; src-mac: Ethernet source MAC = ARP sender MAC (requests and replies)
; dst-mac: Ethernet destination MAC = ARP target MAC (replies only)
; ip: sensible addresses (not 0.0.0.0, 255.255.255.255, multicast); sender IP checked in all packets, target IP in replies
(config)# ip arp inspection validate src-mac|dst-mac|ip
; ARP ACL has no effective implicit deny when used without static: non-matching ARP falls through to the DHCP snooping DB
(config)# arp access-list <ACL>
(config-arp-acl)# permit ip host <IP> mac host <MAC>
; ACL is checked first, then DB; with static the implicit deny is enforced and the DB is not checked at all
(config)# ip arp inspection filter <ACL> vlan <RANGE> [static]
; on links towards other switches (no inspection)
(config-if)# ip arp inspection trust
; 15 pps default on untrusted ports, unlimited on trusted; violation → errdisable
(config-if)# ip arp inspection limit rate <pps>
# show ip arp inspection
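Added example (not from the notes, not IOS code): the DAI decision order above modelled in Python. `validate` checks run first, then the ARP ACL, then the DHCP snooping binding table (skipped when the filter is `static`), plus the per-port rate limit that sends a port into errdisable. Frames, bindings, MAC/IP values and the helper names (`inspect`, `rate_limit_port`, `run_scenarios`) are constructed for illustration.

```python
"""Dynamic ARP inspection decision logic, modelled in Python (added example,
not IOS code). Order: 'validate' checks, ARP ACL, DHCP snooping binding table
(unless the filter is 'static'), plus the untrusted-port rate limit."""
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: int            # 1 = request, 2 = reply
    sender_mac: str    # ARP body: sender hardware address
    sender_ip: str     # ARP body: sender protocol address
    target_mac: str    # ARP body: target hardware address
    target_ip: str     # ARP body: target protocol address


@dataclass
class DaiPolicy:
    bindings: dict                                 # (vlan, ip) -> mac: snooping DB + 'ip source binding'
    arp_acl: list = field(default_factory=list)    # [(action, ip, mac)] from 'arp access-list'
    static: bool = False                           # 'ip arp inspection filter ... static'
    validate: frozenset = frozenset()              # subset of {"src-mac", "dst-mac", "ip"}
    rate_pps: int = 15                             # 'ip arp inspection limit rate', 15 by default


def _invalid_ip(ip):
    first = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 239


def inspect(frame, policy, trusted=False):
    """Return (verdict, reason) for one ARP frame arriving on a port."""
    if trusted:
        return "permit", "trusted port, not inspected"
    if "src-mac" in policy.validate and frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "validate src-mac: Ethernet source != ARP sender MAC"
    if ("dst-mac" in policy.validate and frame.op == ARP_REPLY
            and frame.eth_dst.lower() != frame.target_mac.lower()):
        return "drop", "validate dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in policy.validate and (_invalid_ip(frame.sender_ip)
                                    or (frame.op == ARP_REPLY and _invalid_ip(frame.target_ip))):
        return "drop", "validate ip: bogus sender/target address"
    # ARP ACL is consulted before the binding table; first match wins
    for action, ip, mac in policy.arp_acl:
        if ip == frame.sender_ip and mac.lower() == frame.sender_mac.lower():
            return action, f"arp access-list {action} ip host {ip} mac host {mac}"
    if policy.static:
        return "drop", "no ACL match and filter is static: implicit deny, DB not consulted"
    bound_mac = policy.bindings.get((frame.vlan, frame.sender_ip))
    if bound_mac is not None and bound_mac.lower() == frame.sender_mac.lower():
        return "permit", "DHCP snooping binding matches"
    return "drop", "no binding for sender IP/MAC"


def rate_limit_port(arrival_times_ms, policy):
    """Untrusted-port rate limit: more than rate_pps ARP frames within any one
    second puts the port into errdisable. Returns the violation time (ms) or None."""
    window = []
    for t in sorted(arrival_times_ms):
        window = [x for x in window if t - x < 1000] + [t]
        if len(window) > policy.rate_pps:
            return t
    return None


# Constructed scenario: one DHCP client, a static gateway and an attacker on VLAN 10
BINDINGS = {(10, "10.0.0.5"): "00:11:22:33:44:55"}
GATEWAY_MAC, ATTACKER_MAC = "de:ad:be:ef:00:01", "ba:ad:ba:ad:00:02"


def run_scenarios():
    pol = DaiPolicy(bindings=BINDINGS, validate=frozenset({"src-mac", "ip"}))
    pol_acl = DaiPolicy(bindings=BINDINGS, arp_acl=[("permit", "10.0.0.1", GATEWAY_MAC)])
    pol_static = DaiPolicy(bindings=BINDINGS, arp_acl=[("permit", "10.0.0.1", GATEWAY_MAC)], static=True)
    legit = ArpFrame(10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                     "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
    # attacker claims the gateway address in a gratuitous reply (ARP poisoning)
    poison = ArpFrame(10, ATTACKER_MAC, "ff:ff:ff:ff:ff:ff", ARP_REPLY,
                      ATTACKER_MAC, "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1")
    # the real gateway has no DHCP binding, so it needs an ARP ACL entry
    gateway = ArpFrame(10, GATEWAY_MAC, "00:11:22:33:44:55", ARP_REPLY,
                       GATEWAY_MAC, "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")
    # Ethernet source MAC disagrees with the ARP sender MAC
    mismatch = ArpFrame(10, ATTACKER_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                        "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
    return {
        "legit": inspect(legit, pol)[0],
        "poison": inspect(poison, pol)[0],
        "gateway_without_acl": inspect(gateway, pol)[0],
        "gateway_with_acl": inspect(gateway, pol_acl)[0],
        "legit_static_filter": inspect(legit, pol_static)[0],
        "src_mac_mismatch": inspect(mismatch, pol)[0],
        "uplink_trusted": inspect(poison, pol, trusted=True)[0],
        "flood_errdisable_at_ms": rate_limit_port([i * 50 for i in range(40)], pol),
    }
```

Note the `legit_static_filter` case: with `static`, a DHCP client that is not listed in the ARP ACL is dropped even though its binding exists, which is the usual surprise when the keyword is added to an existing filter.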
Downloadable ACL (dACL)
- per-user, no multi-user support
- requires IP device tracking (IPDT)
- downloaded via RADIUS after 802.1x reports success, not saved in config
- added at the end of port ACL (PACL)
- removing dACL:
- session is over
- authentication failed
- link-down
- IPDT ARP probe (source 0.0.0.0) right after DHCP can collide with the host's own duplicate-address detection (gratuitous ARP) → configure probe delay
- enterprise policy manager (EPM) – module in IOS
- ACE contains any as a source that is later replaced with host IP
; ARP + DHCP snooping + unicast ARP probe every 30s
(config)# ip device tracking [probe delay <sec>]
(config)# radius-server vsa send authentication
(config)# aaa authorization network <GROUP> group radius
; WebAuth and dACL authZ logs
(config)# epm logging
; default ACL
(config)# ip access-group <ACL> in
AAA
RADIUS
- attribute-value (AV): user/group parameters
- shell:priv-lvl=15 ≡ EXEC after authC
- client-server
- UDP 1812 authC/authZ, UDP 1813 accounting (1645/1646 – legacy)
- CoA – UDP 3799
- one-way authC
- authorization mode
- command: permission for every cmd
- config-commands: permission for config cmds
- configuration: permission to enter config mode
- exec: permission to enter EXEC, return privilege level
- network: network services (PPP, IPCP)
- reverse-access: reverse telnet ≡ connect to A + connect to B from A
- accounting mode
- system: record system events (e.g. reboot)
- exec: record user, entering EXEC
- commands: record user and issued cmd
- only password is encrypted
- combined authC + authZ
- attributes:
- 1: username
- 2: user password
- 4: NAS IP address, authenticator address
- 5: NAS port, authenticator port for which request is sent
- 6: service type
- 1 = login
- 2 = framed
- 3 = callback-login
- 4 = callback-framed
- 5 = outbound
- 6 = administrative
- 7 = NAS-prompt
- 8 = authC only
- 9 = callback-NAS-prompt
- 8: framed IP address, user- or RADIUS-supplied IP
- 25: class, user role (ASA VPN in ISE)
- 26: vendor specific
- 9 = Cisco ID
- 27: session timeout, IKEv2, tear down session regardless of SA lifetime
- 30: called station ID, authenticator MAC
- 31: calling station ID, supplicant MAC
- 32: NAS ID
- 44: accounting session ID
- 61: NAS port type
- 15 = Ethernet
- 18 = wireless
- 64: tunnel type, encapsulation (VLAN assignment)
- 65: tunnel medium type, physical medium (VLAN assignment)
- 69: tunnel password, symmetric PSK for IKEv2
- 81: tunnel private group ID, VLAN name/number (VLAN assignment)
- 88: framed pool, IPv4 pool for IKEv2, only name (pool must be defined locally)
client                          authenticator                   auth server
                <port unauthorized>
EAPoL-Start
----------------------------->
EAP-Request/Identity
<-----------------------------
EAP-Response/Identity           RADIUS Access-Request
----------------------------->  ----------------------------->
EAP-Request (method)            RADIUS Access-Challenge
<-----------------------------  <-----------------------------
EAP-Response (method)           RADIUS Access-Request
----------------------------->  ----------------------------->
EAP-Success                     RADIUS Access-Accept
<-----------------------------  <-----------------------------
                                RADIUS Accounting-Request (start)
                                ----------------------------->
                <port authorized>
EAPoL-Logoff
----------------------------->
                <port unauthorized>
                                RADIUS Accounting-Request (stop)
                                ----------------------------->
                                Disconnect-Request (CoA)
                                <-----------------------------
                                CoA-Request
                                <-----------------------------
; EAP packets ride inside RADIUS EAP-Message attributes (79)
# show aaa attribute protocol radius
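Added example (not from the notes, not IOS code): an RFC 2865 Access-Request built from the attributes listed above and parsed back. It shows the attribute TLV layout, the Cisco VSA (attribute 26, Vendor-Id 9, vendor type 1 = cisco-avpair), the tagged Tunnel-* attributes used for VLAN assignment, and the point made above that only User-Password is obfuscated (MD5 keystream from shared secret + Request Authenticator) while everything else is cleartext. Shared secret, identifier, authenticator, NAS address and user data are constructed test values.

```python
"""RADIUS Access-Request codec (RFC 2865): added example, not IOS code.
Only User-Password is obfuscated; all other attributes are cleartext."""
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
VENDOR_SPECIFIC, CALLING_STATION_ID = 26, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SERVICE_TYPE_LOGIN, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 1, 13, 6


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16; c_i = p_i XOR MD5(secret || c_(i-1)), c_0 = authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def decrypt_user_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")    # strip NUL padding (a password ending in NUL is ambiguous)

def attr(atype, value):
    """Type | Length (incl. 2 header octets) | Value; value at most 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    """Attribute 26: Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def tagged(atype, value, tag=0):
    """Tunnel-* attributes: 1-octet tag (0 = untagged) + 3-octet integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return attr(atype, bytes([tag]) + body)

def build_access_request(identifier, authenticator, secret, username, password, vlan):
    body = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator)),
        attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),            # constructed NAS address
        attr(NAS_PORT, struct.pack("!I", 50001)),
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        attr(CALLING_STATION_ID, b"00-11-22-33-44-55"),
        cisco_avpair("shell:priv-lvl=15"),
        tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802),
        tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs

def parse_vsa(value):
    """(vendor_id, vendor_type, vendor_data) of one Vendor-Specific value."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, value[4], value[6:4 + value[5]]

def summarize(data, secret):
    """What a sniffer sees; the password is recovered only with the shared secret."""
    code, identifier, authenticator, attrs = parse_packet(data)
    by_type = dict(attrs)    # the constructed packet has no repeated types
    vendor_id, _vtype, avpair = parse_vsa(by_type[VENDOR_SPECIFIC])
    return {
        "code": code, "identifier": identifier,
        "username": by_type[USER_NAME].decode(),
        "password_on_wire": by_type[USER_PASSWORD],
        "password": decrypt_user_password(by_type[USER_PASSWORD], secret, authenticator).decode(),
        "cisco_avpair": avpair.decode() if vendor_id == CISCO_VENDOR_ID else None,
        "tunnel_type": int.from_bytes(by_type[TUNNEL_TYPE][1:], "big"),
        "vlan": by_type[TUNNEL_PRIVATE_GROUP_ID][1:].decode(),
    }
```

The MD5-based password hiding is keyed only by the shared secret and a 16-byte authenticator that is sent in the clear, which is why RADIUS over UDP should be confined to a management VLAN or wrapped in IPsec/RadSec rather than trusted across an untrusted network.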
TACACS+
- TCP
- encrypts whole packets except header
- separate authC and authZ (e.g. per command authZ)
- supports legacy protocols
client Auth server
--+
START |
-----------------------------> |
REPLY (GETUSER) |
<----------------------------- |
CONTINUE |
-----------------------------> |
REPLY (GETPASS) | authentication
<----------------------------- |
CONTINUE |
-----------------------------> |
ACCEPT/REJECT (REPLY) |
<----------------------------- --+
--+
REQUEST |
-----------------------------> | authorization
RESPONSE |
<----------------------------- |
--+
IOS CLI
(config)# tacacs|radius server <NAME>
(config-server-radius)# address ipv4|ipv6 <IP>
(config-server-radius)# key <PASSWORD>
(config-server-radius)# automate-tester username <NAME> ignore-acct-port
; EAP-FAST with ISE, master key for receiving PAC
(config-server-radius)# pac key <PASS>
(config)# radius-server host <IP> [key <KEY>]
; permits vendor-specific attributes; on default (> IOS 15.0, IOS XE 3.5.0E)
(config)# radius-server vsa send
; n unanswered tries within sec → server marked dead
(config)# radius-server dead-criteria time <sec> tries <n>
; how long a dead server is skipped before it is tried again (0 = never skipped)
(config)# radius-server deadtime <mins>
(config)# aaa new-model
(config)# aaa group server radius|tacacs+ <NAME>
(config-sg-radius)# server <IP>|name <SRVNAME>
; methods: group radius|tacacs+|<NAME>, local, enable, line, none; up to 4, tried in order, the next one only if the previous does not respond (not on a reject)
(config)# aaa authentication login default|<LIST> <methods>
; methods: group ..., local, if-authenticated, none (≡ no authZ)
(config)# aaa authorization <mode> default|<LIST> <methods>
; EXEC-mode commands at privilege level <LVL>; config-mode commands additionally need config-commands
(config)# aaa authorization commands <LVL> <LIST> <methods>
; authZ for config-mode commands
(config)# aaa authorization config-commands
(config)# aaa accounting <mode> <LIST> start-stop|stop-only|none <methods>
; enable CoA
(config)# server radius dynamic-author
(config-locsvr-da-radius)# client <IP>
(config-locsvr-da-radius)# server-key <KEY>
(config-line)# login authentication default|<LIST>
(config-line)# authorization commands <LVL>|exec|reverse-access default|<LIST>
; connection – records outbound connections made from the access server (telnet, rlogin)
(config-line)# accounting commands <lvl>|connection|exec <LIST>
# test aaa group <GROUP> <USER> <PASS>
# debug radius authentication
# debug aaa authentication
# debug aaa protocol local
LDAP
- TCP 389 – cleartext (or StartTLS), TCP 636 – LDAPS (TLS)
DIAMETER
- RFC 6733
- backward compatible with RADIUS (AVP codes 1–255 are reserved for RADIUS attributes)
- application-level failover
- TLS, DTLS
- TCP, SCTP
- server-initiated messages
- dynamic peer discovery via DNS
- AVP – attribute-value pair; data padded to a multiple of 4 octets, padding not counted in AVP length
AVP encoding
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AVP code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V|M|P| Reserved| AVP length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M: mandatory
V: Vendor ID present
P: protected (end-to-end security), reserved in RFC 6733, must be 0
DIAMETER Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version=0x01 | Message length (octets, incl. header) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|P|E|T| Rsvd | Command code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Application ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Hop-by-Hop ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| End-to-End ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AVP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R: 1 = request, 0 = answer
P: proxiable
E: error
T: potentially retransmitted
Codes:
- 257: Capabilities-Exchange
- 258: Re-Authentication
- 271: Accounting
- 274: Abort-Session-Request/Answer
- 275: Session-Termination
- 280: Device-Watchdog (≈ keepalive)
- 282: Disconnect-Peer
H2H ID: matches an answer to its request on each hop (rewritten by relays/proxies); E2E ID: set by the originator, unchanged end-to-end, detects duplicates
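Added example (not from the notes, not IOS code): a codec for the Diameter header and AVP layouts above. Both Message Length and AVP Length are in octets; AVP data is padded to a 4-octet boundary but the padding is not counted in AVP Length, which is the usual off-by-padding bug in hand-written parsers. The sample Device-Watchdog exchange, the peer names and the IDs are constructed.

```python
"""Diameter header and AVP codec (RFC 6733): added example, not IOS code."""
import struct

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10   # command flags
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20                     # AVP flags
ORIGIN_HOST, RESULT_CODE, ORIGIN_REALM = 264, 268, 296
DEVICE_WATCHDOG = 280
DIAMETER_SUCCESS = 2001


def encode_avp(code, data, mandatory=True, vendor_id=None):
    flags = (AVP_M if mandatory else 0) | (AVP_V if vendor_id is not None else 0)
    header_len = 12 if vendor_id is not None else 8
    avp = struct.pack("!IB", code, flags) + (header_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        avp += struct.pack("!I", vendor_id)
    return avp + data + b"\x00" * (-len(data) % 4)    # padding is not counted in AVP Length

def decode_avps(buf):
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len = 12 if flags & AVP_V else 8
        if length < header_len or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if flags & AVP_V else None
        avps.append({"code": code, "mandatory": bool(flags & AVP_M), "vendor_id": vendor_id,
                     "data": buf[pos + header_len:pos + length]})
        pos += length + (-length % 4)                  # skip to the next 4-octet boundary
    return avps

def encode_message(command_code, application_id, hop_by_hop, end_to_end, avps,
                   request=True, proxiable=True):
    flags = (FLAG_R if request else 0) | (FLAG_P if proxiable else 0)
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)

def decode_message(buf):
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("Message Length does not match buffer")
    flags = buf[4]
    application_id, hop_by_hop, end_to_end = struct.unpack("!III", buf[8:20])
    return {"request": bool(flags & FLAG_R), "proxiable": bool(flags & FLAG_P),
            "error": bool(flags & FLAG_E), "retransmitted": bool(flags & FLAG_T),
            "command_code": int.from_bytes(buf[5:8], "big"), "application_id": application_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": decode_avps(buf[20:])}

def answer_to(request_bytes, avps):
    """An answer keeps command code, Application-ID, Hop-by-Hop and End-to-End
    IDs of the request and clears the R bit; the peer matches it by H2H ID."""
    req = decode_message(request_bytes)
    return encode_message(req["command_code"], req["application_id"], req["hop_by_hop"],
                          req["end_to_end"], avps, request=False, proxiable=req["proxiable"])

def watchdog_exchange():
    """Constructed DWR/DWA pair between two peers; returns both decoded."""
    dwr = encode_message(DEVICE_WATCHDOG, 0, 0x11223344, 0x55667788, [
        encode_avp(ORIGIN_HOST, b"peer1.example.net"),
        encode_avp(ORIGIN_REALM, b"example.net"),
    ])
    dwa = answer_to(dwr, [
        encode_avp(RESULT_CODE, struct.pack("!I", DIAMETER_SUCCESS)),
        encode_avp(ORIGIN_HOST, b"peer2.example.net"),
        encode_avp(ORIGIN_REALM, b"example.net"),
    ])
    return decode_message(dwr), decode_message(dwa)
```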
EAP
EAP encoding
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | /
+-+-+-+-+-+-+-+-+ Data \
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code:
- 1 = Request
- 2 = Response
- 3 = Success
- 4 = Failure
identifier: matches a response to its request and tells a retransmission from a new request (PPP); not needed in IKEv2, which carries EAP inside its own request/response exchange
Type
- 1 = identity
- 2 = notification
- 3 = NAK
- 4 = MD5 challenge
- 5 = OTP
- 6 = GTC
- 254 = expanded type
- 255 = experimental
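Added example (not from the notes, not IOS code): an encoder/decoder for the EAP layout above, driven through an EAP-MD5 (type 4) conversation. EAP-MD5 is CHAP: the response value is MD5(Identifier || secret || challenge), so the Identifier is what binds a response to one request and defeats replay. The password, challenge and identity are constructed test values. EAP-MD5 authenticates only the client and derives no keys, which is why 802.1X deployments use TLS-based methods instead.

```python
"""EAP codec and EAP-MD5 exchange (RFC 3748 / RFC 1994): added example, not IOS code."""
import hashlib
import hmac
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NOTIFICATION, NAK, MD5_CHALLENGE, OTP, GTC = 1, 2, 3, 4, 5, 6
EXPANDED, EXPERIMENTAL = 254, 255


def encode(code, identifier, eap_type=None, data=b""):
    """Code | Identifier | Length | [Type | Data]; Success/Failure carry no Type."""
    body = b"" if code in (SUCCESS, FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def decode(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    if code in (SUCCESS, FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response without Type")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:length]}

def md5_challenge_data(identifier, secret, challenge, name=b""):
    """Type 4 data: Value-Size | Value | Name; Value = MD5(Identifier || secret || challenge)."""
    value = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return bytes([len(value)]) + value + name

def verify_md5_response(request, response, secret):
    req, resp = decode(request), decode(response)
    if (req["code"], resp["code"]) != (REQUEST, RESPONSE) or req["id"] != resp["id"]:
        return False
    if req["type"] != MD5_CHALLENGE or resp["type"] != MD5_CHALLENGE:
        return False
    challenge = req["data"][1:1 + req["data"][0]]
    value = resp["data"][1:1 + resp["data"][0]]
    expected = hashlib.md5(bytes([req["id"]]) + secret + challenge).digest()
    return hmac.compare_digest(value, expected)

def conversation(secret, challenge, supplicant_secret=None):
    """Full EAP exchange as in the 802.1X diagram above; returns decoded packets
    in order. supplicant_secret lets the caller model a wrong password."""
    supplicant_secret = secret if supplicant_secret is None else supplicant_secret
    identity_req = encode(REQUEST, 1, IDENTITY)
    identity_resp = encode(RESPONSE, 1, IDENTITY, b"alice")
    md5_req = encode(REQUEST, 2, MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"nas1")
    md5_resp = encode(RESPONSE, 2, MD5_CHALLENGE,
                      md5_challenge_data(2, supplicant_secret, challenge, b"alice"))
    result = encode(SUCCESS if verify_md5_response(md5_req, md5_resp, secret) else FAILURE, 2)
    return [decode(p) for p in (identity_req, identity_resp, md5_req, md5_resp, result)]

def replay_attempt(secret, challenge):
    """A captured response (id 2) replayed against a new request (id 3) is rejected
    even with the same challenge, because the Identifier is part of the hash."""
    old_resp = encode(RESPONSE, 2, MD5_CHALLENGE, md5_challenge_data(2, secret, challenge))
    new_req = encode(REQUEST, 3, MD5_CHALLENGE, bytes([len(challenge)]) + challenge)
    return verify_md5_response(new_req, old_resp, secret)
```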
CoPP
- control plane policing
- DoS protection
- IPv4 only
- requires CEF
- CPU ≡ virtual intf
- control plane host: for router (SSH, iBGP, IGP, SNMP)
- control plane transit: packets transiting CPU (ARP incomplete)
- control plane CEF exception: traffic that cannot be processed by CEF (eBGP, CDP, ARP, LDP, TTL=0)
- no support for MAC ACL
- mcast: first packet of the flow goes through CPU to create mcast state
- in-band mgmt only (OOB goes straight into CPU)
; hardware accelerated CoPP
(config)# mls qos
(config)# control-plane
(config-cp)# service-policy input <PMAP>
; host CoPP
(config-cp)# service-policy type port-filter input <PPMAP>
(config)# policy-map type port-filter <PPMAP>
(config-pmap)# class <CMAP>
(config-pmap-c)# drop
(config)# class-map type port-filter <CMAP>
(config-cmap)# match closed-ports
(config-cmap)# match [not] port tcp|udp <start> [<end>]
(config)# policy-map type queue-threshold <PMAP>
(config-pmap)# class <CMAP>
(config-pmap-c)# queue-limit <n>
(config)# class-map type queue-threshold <CMAP>
(config-cmap)# match protocol <PROTOCOL>
; any open port
(config-cmap)# match protocol host-protocols
# show tcam utilization
# show control-plane host open-ports
MPP
- management plane protection
- CEF required
- limits interfaces that can accept management traffic: (T)FTP, SSH, telnet, HTTP(S), SNMP
- non-management traffic is dropped
- auto-disables itself if all MPP interfaces are down
- not supported if there is a separate mgmt interface
(config)# control-plane host
(config-cp-host)# management-interface <intf> allow [<protocols>]
PSP
- protocol storm protection
- rate-limit for ARP packets (including snooping), DHCP, IGMP
- drops all traffic after violation for 30s on virtual port ≡ CPU
; off default
(config)# psp arp|dhcp|igmp pps <PPS>
; off default, shuts port down
(config)# err-disable detect cause psp
(config)# err-disable recovery interval <sec>
# show psp config
Crypto ACL
- outbound:
- permit: encapsulate into IPsec
- deny: routing
- direct parsing
- inbound:
- permit: must be encapsulated into IPsec, if not – drop
- deny: routing
- reverse parsing on ACE level
- one crypto map (with its ACL) per interface; the same ACL is evaluated for both directions (mirrored on the peer)
- best practice
- do not use any: may disturb clear-text traffic
- crypto-map does not support IGP tunnelling because it does not create logical interface for IGP
ACL: permit ip host 1.1.1.1 host 2.2.2.2 → ACL on peer must be mirrored
(config)# crypto map <NAME> local-address <intf>
; key negotiation with IKEv1
(config)# crypto map <NAME> <seq> ipsec-isakmp
; ACL: match packet src&dst that are steered into IPsec
(config-crypto-map)# match ip address <ACL>
(config-crypto-map)# set peer <IP>
(config-crypto-map)# set transform-set <NAME>
; on physical interface
(config-if)# crypto map <NAME>
VTI
- IGP support
- tunnel only (in crypto ACL – permit ip any any)
- IPv4-IPv4 or IPv6-IPv6
- line status is based on Phase 2 negotiation status (ISAKMP keepalive)
- may be better than GRE: GRE is done on CPU, IPsec – in hardware
- always on
(config-if)# tunnel mode ipsec ipv4|ipv6
IPsec
- end-to-end
- 2 IPsec SAs per matched crypto ACL entry (one per direction), 1 IKE SA (bidirectional)
- mode
- transport:
- for GRE over IPsec
- only if the crypto ACL endpoints are the IPsec peers themselves (RFC 4301: tunnel endpoints = traffic endpoints)
- fallback – tunnel mode
- tunnel: default
- PMTUD is on by default
- IPsec is applied after NAT on egress
- NAT-T: encapsulates ESP into UDP 4500 because PAT cannot translate protocols without ports (ESP/AH are not ICMP/UDP/TCP); AH cannot traverse NAT at all (outer header is in the ICV)
- IPsec pass-through: NAT device tracks ESP flows by SPI instead
(config)# crypto ipsec transform-set <NAME> <MODE>
; tunnel default
(cfg-crypto-tran)# mode transport|tunnel
(config)# crypto ipsec profile <IPSEC>
(ipsec-profile)# set transform-set <NAME>
; IKEv1 policies by default
(ipsec-profile)# set ikev2-profile <IKE>
; IKEv2 dVTI only
(ipsec-profile)# set mixed-mode
(config)# crypto ipsec security-association lifetime <sec>|<kilobytes>
; one UDP socket for different tunnels with same source interface
; not needed for P2P with different destinations
(config-if)# tunnel protection ipsec profile <PROFILE> shared
; copy – default
(config-if)# crypto ipsec df-bit set|copy|clear
; enabled by default, avoid reassembly on VPN headend
(config-if)# crypto ipsec fragmentation before-encryption
AH
- IP protocol 51
- authC, anti-replay, integrity
- includes IP header into calculation ⇒ incompatible with NAT
- no support on ASA
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next header | Payload length| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ICV (variable length) | Padding (variable length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Payload data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ESP
- IP protocol 50
- anti-replay: 32-bit sequence number, receiver keeps a sliding window (64 packets by default on IOS)
- confidentiality, integrity, origin authentication, anti-replay
- does not include the outer IP header in the ICV → NAT-friendly
- ICV (authentication trailer) is appended to the packet
- ESPv3 (RFC 4303)
- extended sequence number (ESN)
- 64-bit instead of 32-bit (high 32 bits not transmitted but covered by the ICV); a 32-bit counter overflows within minutes at 10 Gbps with small packets
- negotiated in SA
- not supported by IOS
- TFC padding to an arbitrary packet size (previously max 255 bytes of padding)
- not supported by IOS
- dummy packets with random gaps (Next Header 59 = no next header; encrypted, discarded by the receiver)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --+
\ \ |
/ Payload data / |
\ \ | encrypted
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Padding (variable length) | Pad length | Next header | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --+
\ \
/ ICV /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
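Added example (not from the notes, not IOS code): ESP framing and the RFC 4303 anti-replay window from the ESP bullets above. NULL encryption keeps the trailer (padding, Pad Length, Next Header) visible; the ICV is HMAC-SHA1-96 over SPI, sequence number and payload/trailer, i.e. without the outer IP header. The receiver order matters: replay pre-check, ICV verification, then window update, so a forged packet can never advance the window. Key, SPI and the packet stream are constructed.

```python
"""ESP framing and RFC 4303 anti-replay window: added example, not IOS code."""
import hashlib
import hmac
import struct

NO_NEXT_HEADER = 59          # TFC dummy packet: discarded after decryption
ICV_LEN = 12                 # HMAC-SHA1-96


class ReplayWindow:
    """Sliding window of `size` sequence numbers (64 by default on IOS).
    Bit i of `bitmap` set means sequence number top - i was accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        if seq == 0:                     # ESP sequence numbers start at 1
            return False
        if seq > self.top:               # right of the window: new
            return True
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (((self.bitmap << shift) & mask) | 1) if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(spi, seq, payload, next_header, key):
    """SPI | Seq | payload | padding | Pad Length | Next Header | ICV.
    Padding brings (payload + 2) to a 4-octet boundary (NULL cipher)."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + _icv(key, body)

def receive_esp(pkt, key, window):
    """Return (accepted, reason, inner_payload) for one inbound ESP packet."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        return False, "too short", b""
    spi, seq = struct.unpack("!II", pkt[:8])
    if not window.check(seq):
        return False, "replay or outside window", b""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, body)):
        return False, "bad ICV", b""
    window.update(seq)                                # only after authentication
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    if next_header == NO_NEXT_HEADER:
        return True, "TFC dummy discarded", b""
    return True, f"ok, next header {next_header}", payload

def run_stream(key=b"k" * 20, spi=0x1000):
    """Constructed inbound stream: new, replayed, forged, too-old and dummy packets."""
    window, results = ReplayWindow(), []
    p1 = build_esp(spi, 1, b"hello", 4, key)
    results.append(receive_esp(p1, key, window)[0])                                   # new
    results.append(receive_esp(p1, key, window)[0])                                   # replay
    forged = bytearray(build_esp(spi, 3, b"evil", 4, key))
    forged[10] ^= 1                                                                   # flip a payload bit
    results.append(receive_esp(bytes(forged), key, window)[1])                        # bad ICV, window untouched
    results.append(receive_esp(build_esp(spi, 3, b"real", 4, key), key, window)[0])   # genuine seq 3
    results.append(receive_esp(build_esp(spi, 100, b"x", 4, key), key, window)[0])    # jump ahead
    results.append(receive_esp(build_esp(spi, 36, b"x", 4, key), key, window)[0])     # 100 - 64: too old
    results.append(receive_esp(build_esp(spi, 37, b"x", 4, key), key, window)[0])     # still inside window
    results.append(receive_esp(build_esp(spi, 37, b"x", 4, key), key, window)[0])     # replay inside window
    results.append(receive_esp(build_esp(spi, 101, b"", NO_NEXT_HEADER, key), key, window)[1])
    return results
```

Widening the window (`crypto ipsec security-association replay window-size` on IOS) is the fix when QoS reordering causes legitimate "too old" drops; disabling replay checking is not.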
PKI
; receive TP certificate
(config)# crypto pki authenticate <TP>
; request own certificate from TP
(config)# crypto pki enroll <TP>
; schedule for periodic CRL download
(config)# crypto pki crl download schedule time <day> <clock>
; download CRL at mins before expiry
(config)# crypto pki crl download schedule prepublish <mins>
; manual download
(config)# crypto pki crl download trustpoint <TP>
; for certificate-based identification
(config)# crypto pki certificate map <CERTMAP> <n>
; co ≡ contains
(ca-certificate-map)# subject-name co <DOMAIN>
IOS CLI RSA authentication
; hostname + domain name form the default RSA key label; otherwise a key label must be given explicitly
(config)# ip domain-name <DOMAIN>
(config)# crypto key pubkey-chain rsa
(config-pubkey-chain)# addressed-key <IP>
(config-pubkey-key)# key-string <HEX>
# show crypto key mypubkey rsa
IOS CLI CA
(config)# ip http server
(config)# crypto pki server <CA>
(cs-server)# issuer-name CN=<NAME>
(cs-server)# grant auto
(cs-server)# database url nvram:
(cs-server)# no shutdown
IOS CLI PKI trustpoint (including CA for hub-n-spoke)
(config)# crypto pki trustpoint <TP>
(ca-trustpoint)# rsakeypair <LABEL>
(ca-trustpoint)# enrollment url <URL>
(config)# crypto pki profile enrollment <PROFILE>
; EST instead of SCEP
(ca-profile-enroll)# method-est
(ca-profile-enroll)# enrollment credential <TP>
(ca-profile-enroll)# enrollment url <URL>
NTP
(config)# ntp max-associations <n>
; interface does not send NTP, disables NTP server (NTP client continues to work)
(config-if)# ntp disable
Multicast
- limit number of entries in mRIB (misconfig, DoS), SA in MSDP
- control-plane and data-plane protection
- PIM-SM + snooping
- manual DR via best path to RP
- disable SAP (legacy protocol to allocate mcast group)
- if no hardware switching available – ACL on ingress interface to drop mcast (CPU protection on backup PIM DR)
; limits entries in mRIB, on reaching threshold – warning
(config)# ip multicast [vrf <NAME>] route-limit <n> [<threshold>]
; filters Register on source of mcast (ACL src) and group (ACL dst) – extended ACL
; on RP, connected sources not filtered
(config)# ip pim accept-register list <ACL>
; filters Join/Prune for specified RP, ACL sets group G
; on every router, stops receiving Join/Prune for other RP
(config)# ip pim accept-rp <RP_ADDR>|auto-rp [<ACL>]
(config)# ip pim neighbor-filter <ACL>
; CPU protection from high rate / RP failover
(config)# ip pim register-rate-limit <pps>
; on mapping agent
(config)# ip pim rp-announce-filter rp-list <ACL> group-list <ACL1>
; limits number of IGMP groups in cache, if both configured, lower is selected
(config)# ip igmp limit <n>
(config-if)# ip igmp limit <n>
; list of permitted/prohibited groups
(config-if)# ip igmp access-group <ACL>
(config-if)# no ip sap listen
Context-based access control (CBAC)
(config)# ip inspect <NAME> <protocol>
; real-time log about FW operation
(config)# ip inspect audit-trail
; when half-open sessions reach high, drops old connections,
; accepting new ones unless half-open sessions reach low
(config)# ip inspect max-incomplete high|low <n>
; tracks frequency of half-open sessions instead of number
(config)# ip inspect one-minute high|low <frequency>
; in|out = traffic direction that creates temporary session records
(config-if)# ip inspect <NAME> in|out
# show ip inspect sessions
# show ip inspect interfaces
Zone-based firewall (ZBF)
; match-all default
(config)# class-map type inspect <CMAP>
(config)# policy-map type inspect <PMAP>
(config-pmap)# class type inspect <CMAP>
; pass – forwards in one direction without state (return traffic needs its own policy), inspect – stateful, return traffic permitted automatically, drop – default for unmatched traffic
(config-pmap-c)# inspect|pass|drop
(config)# zone security <ZNAME>
; Z1 → Z2, Z2 →x Z1
; self zone – traffic from/to device itself
(config)# zone-pair security <PAIR> source <Z1> destination <Z2>
(config-sec-zone-pair)# service-policy type inspect <PMAP>
(config-if)# zone-member security <ZNAME>
# show class-map type inspect
# show zone security
; active ZBF sessions
# show policy-map type inspect zone-pair sessions
# debug policy-firewall
IP source route
- sets the path in the packet itself (IP options) → bypasses routing policy, enables IP spoofing
- loose (LSRR, 0x83) = partial path, any route allowed between the listed hops
- strict (SSRR, 0x89) = complete path, each listed hop must be directly connected
- list is walked using a pointer (1-based offset into the option, starts at 4)
- process at each listed hop
- address at pointer in IP option → IP destination
- egress interface IP address → written into the slot at pointer (~ record route)
- pointer += 4
- IP destination is replaced as long as pointer is within option length; once pointer > length the packet is routed normally to the final destination
- copied on fragmentation
- copied on fragmentation
; discards datagrams carrying a source-route option
(config)# no ip source-route
; suppresses ICMP unreachables (incl. code 5 "source route failed") that would confirm filtering
(config-if)# no ip unreachables
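Added example (not from the notes, not IOS code): the LSRR/SSRR processing above modelled in Python. It emulates a router that receives a packet addressed to itself with a source-route option: with source routing enabled it rewrites the destination, records its egress address in the vacated slot and advances the pointer; with it disabled (`no ip source-route`) it drops the packet; for strict routing the next hop must be directly connected. Addresses are constructed documentation ranges and the function names are assumptions.

```python
"""IPv4 loose/strict source route processing (RFC 791 options 0x83/0x89):
added example, not IOS code."""
import socket
import struct

LSRR, SSRR, RR, EOL, NOP = 0x83, 0x89, 0x07, 0x00, 0x01


def ipv4_checksum(header):
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, options=b"", payload=b"", proto=17, ttl=64):
    options += b"\x00" * (-len(options) % 4)                     # EOL padding to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload

def source_route_option(hops, strict=False):
    """Type | Length | Pointer (starts at 4) | route data (4 octets per hop)."""
    addrs = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(addrs), 4]) + addrs

def iter_options(options):
    pos = 0
    while pos < len(options):
        kind = options[pos]
        if kind == EOL:
            return
        if kind == NOP:
            pos += 1
            continue
        if pos + 1 >= len(options) or options[pos + 1] < 2 or pos + options[pos + 1] > len(options):
            raise ValueError("malformed IP option")
        yield pos, kind, options[pos + 1]
        pos += options[pos + 1]

def forward(pkt, egress_ip, source_route_enabled=True, connected=()):
    """One router hop for a packet addressed to this router. Returns (action, packet):
    'route' (deliver/route to the header destination), 'source-route' (rewritten), 'drop'."""
    ihl = (pkt[0] & 0x0F) * 4
    header, payload = bytearray(pkt[:ihl]), pkt[ihl:]
    for off, kind, length in iter_options(bytes(header[20:])):
        if kind not in (LSRR, SSRR):
            continue
        if not source_route_enabled:
            return "drop", None          # 'no ip source-route' discards the datagram
        pointer = header[20 + off + 2]
        if pointer > length:             # list exhausted: header destination is final
            return "route", pkt
        slot = 20 + off + pointer - 1
        next_hop = socket.inet_ntoa(bytes(header[slot:slot + 4]))
        if kind == SSRR and connected and next_hop not in connected:
            return "drop", None          # strict: next hop must be directly connected
        header[16:20] = socket.inet_aton(next_hop)           # new destination
        header[slot:slot + 4] = socket.inet_aton(egress_ip)  # record our address, like RR
        header[20 + off + 2] = pointer + 4
        header[10:12] = b"\x00\x00"
        header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
        return "source-route", bytes(header) + payload
    return "route", pkt

def walk_path():
    """Attacker at 10.0.0.1 steers a packet through two routers to 203.0.113.9."""
    loose = build_ipv4("10.0.0.1", "192.0.2.1",
                       source_route_option(["198.51.100.1", "203.0.113.9"]), b"payload")
    hop1 = forward(loose, "198.51.100.254")                 # router 192.0.2.1
    hop2 = forward(hop1[1], "203.0.113.254")                # router 198.51.100.1
    final = forward(hop2[1], "203.0.113.9")                 # pointer now past the list
    strict = build_ipv4("10.0.0.1", "192.0.2.1", source_route_option(["198.51.100.1"], strict=True))
    dst = lambda p: socket.inet_ntoa(p[16:20])
    return {
        "hop1": (hop1[0], dst(hop1[1]), socket.inet_ntoa(hop1[1][23:27])),
        "hop2": (hop2[0], dst(hop2[1]), hop2[1][22]),
        "final": final[0],
        "checksums_ok": all(ipv4_checksum(p[:32]) == 0 for p in (loose, hop1[1], hop2[1])),
        "disabled": forward(loose, "198.51.100.254", source_route_enabled=False)[0],
        "strict_not_connected": forward(strict, "10.9.9.1", connected=("10.9.9.2",))[0],
    }
```

The recorded egress addresses are why a source-routed probe also doubles as a topology-discovery tool: every hop writes its own address into the option before forwarding.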
IP source track
; dst IP – attacked host
(config)# ip source-track <dst IP>
; 0 default ≡ no syslog, syslog-reminder about source track
(config)# ip source-track syslog-interval <mins>
# show ip source-track
Router IP traffic export (RITE)
- SPAN alternative on router
ACL
- non-initial fragments carry no L4 header: an ACE with L3 match only applies as usual; an ACE with L4 info permits the fragment if it is a permit and is skipped (next ACE evaluated) if it is a deny – default behaviour
- Turbo ACL – ASIC-level ACL optimization, not all ACEs supported
- if non-existent ACL or prefix-list is applied ≡ permit all
- blocks to-box traffic on IOS
- does not block to-box traffic on ASA
- fragments – matches non-initial fragments only, cannot contain L4 information
- established – match on ACK or RST
- log – CPU intensive, creates syslog once per 5 minutes per flow
; Turbo ACL
(config)# access-list compiled
; creates syslog every n packets per flow
(config)# ip access-list log-update threshold <n>
; only the first packet within ms interval triggers syslog regardless of number of ACE
(config)# ip access-list logging interval <ms>
; process-switching, creates list of packets that were denied by ACL
(config)# ip accounting access-violations
# show ip accounting access-violations
Dynamic ACL
- adds ACE on external event (telnet required)
- CPU load on entry creation
- entry timeout for ACE
; command is executed on user login (does not work for SSH)
(config)# username <NAME> autocommand <LINE>
; for all users
(config-line)# autocommand <LINE>
; after access-enable inserts source IP of connection instead of any, timeout = ∞ by default
(config-ext-nacl)# dynamic <DACL> timeout <mins> permit ip any host <IP>
; insert src IP into DACL for host that opened Telnet
; timeout – idle time, if not specified, value from ACL is used
# access-enable [host] [timeout <min>]
Reflexive ACL
- named extended ACL only
- no implicit deny all, always permit ACEs
- nested in extended ACL
- CPU intensive on temporary ACE creation (sockets: IP src+dst, protocol, port src+dst)
- temporary ACE cleanup
- timer
- on last packet of the session
- not compatible with protocols that open ports dynamically
; global timeout
(config)# ip reflexive-list timeout <sec>
; temporary ACE creation
(config)# ip access-list extended <OUTBOUND>
(config-ext-nacl)# permit <PROTOCOL> any any reflect <ACL>
; checks against temporary ACE
(config)# ip access-list extended <INBOUND>
(config-ext-nacl)# evaluate <ACL>
(config-if)# ip access-group <INBOUND> in
(config-if)# ip access-group <OUTBOUND> out
Unicast RPF
- types
- loose
- checks whether IP source has a route in RIB (via any interface)
- if IP source is reachable via Null0 – drop (source-based RTBH; applies to strict as well)
- strict
- checks that packet came in on the interface that is the next hop towards IP source
- CEF required
- ECMP paths are considered equal
; strict
(config-if)# ip verify unicast source reachable-via rx allow-default
; loose
(config-if)# ip verify unicast source reachable-via any
; if uRPF fails, check ACL: permit = pass, deny = drop
(config-if)# ip verify unicast source reachable-via rx|any <ACL>
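Added example (not from the notes, not IOS code): the strict/loose uRPF decision above evaluated against a small constructed RIB. It covers the cases the notes list: loose passes any source with a route, strict needs the ingress interface to be a next-hop interface for the source (any ECMP member counts), a Null0 route drops in both modes (source-based RTBH), the default route only counts with `allow-default`, and the exempt ACL is consulted only after a failed check (permit → forwarded, deny or no match → dropped). Interface names and prefixes are assumptions.

```python
"""Unicast RPF strict/loose evaluation: added example, not IOS code."""
import ipaddress


class Rib:
    def __init__(self, routes):
        # routes: [(prefix, [interfaces])]; several interfaces = ECMP
        self.routes = [(ipaddress.ip_network(p), list(i)) for p, i in routes]

    def lookup(self, ip):
        """Longest-prefix match; returns (network, interfaces) or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, intfs in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, intfs)
        return best


def urpf(rib, src_ip, ingress, mode="strict", allow_default=False, exempt_acl=None):
    """Return (forward, reason). exempt_acl: [(action, network)], applied only when
    the uRPF check fails: permit → forwarded anyway, deny / no match → dropped."""
    def fail(reason):
        if exempt_acl:
            addr = ipaddress.ip_address(src_ip)
            for action, net in exempt_acl:
                if addr in ipaddress.ip_network(net):
                    return action == "permit", f"{reason}; ACL {action}"
        return False, reason

    route = rib.lookup(src_ip)
    if route is None:
        return fail("no route to source")
    net, intfs = route
    if "Null0" in intfs:
        return fail("source routed to Null0 (RTBH)")
    if net.prefixlen == 0 and not allow_default:
        return fail("only the default route covers the source")
    if mode == "loose":
        return True, f"loose: source in RIB via {','.join(intfs)}"
    if ingress in intfs:
        return True, f"strict: {ingress} is a next-hop interface (ECMP ok)"
    return fail(f"strict: arrived on {ingress}, expected {','.join(intfs)}")


# Constructed RIB of an edge router
RIB = Rib([
    ("10.1.0.0/16", ["Gi0/1"]),
    ("10.2.0.0/16", ["Gi0/2", "Gi0/3"]),   # equal-cost paths
    ("192.0.2.0/24", ["Null0"]),           # blackholed (RTBH trigger)
    ("0.0.0.0/0", ["Gi0/0"]),              # upstream default
])
EXEMPT = [("permit", "172.16.0.0/12")]


def run_cases():
    return {
        "strict_correct_intf": urpf(RIB, "10.1.5.5", "Gi0/1")[0],
        "strict_wrong_intf": urpf(RIB, "10.1.5.5", "Gi0/2")[0],
        "loose_wrong_intf": urpf(RIB, "10.1.5.5", "Gi0/2", mode="loose")[0],
        "strict_ecmp_member": urpf(RIB, "10.2.9.9", "Gi0/3")[0],
        "loose_null0": urpf(RIB, "192.0.2.7", "Gi0/0", mode="loose")[0],
        "strict_default_only": urpf(RIB, "8.8.8.8", "Gi0/0")[0],
        "strict_allow_default": urpf(RIB, "8.8.8.8", "Gi0/0", allow_default=True)[0],
        "strict_fail_acl_exempt": urpf(RIB, "172.16.0.1", "Gi0/1", exempt_acl=EXEMPT)[0],
        "strict_fail_acl_no_match": urpf(RIB, "10.1.5.5", "Gi0/2", exempt_acl=EXEMPT)[0],
    }
```

Strict mode on an interface that sees asymmetric routing (the `strict_wrong_intf` case) drops legitimate traffic; that is the usual reason to fall back to loose mode on peering links and keep strict mode for single-homed customer ports.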
TCP intercept
- protection from SYN flood
- modes
- intercept: proxy
- watch: closes half-open sessions after timeout using RST
(config)# ip tcp intercept mode intercept|watch
; 30s default
(config)# ip tcp intercept watch-timeout <sec>
(config)# ip tcp intercept list <ACL>
; 1100 default
(config)# ip tcp intercept max-incomplete high <n>
; 900 default
(config)# ip tcp intercept max-incomplete low <n>
Encrypted traffic analytics
- NetFlow analysis, stream statistics, telemetry (e.g. packets arrival time)
- malware scan
- weak ciphers for audit
- passive protection
- usually on access-layer
- platforms: C9k, ASR1k, ISR4k, CSR, ISR1k, C9800
Flexible packet matching
- byte-level matching on packet parts
(config)# load protocol <path>
(config)# class-map type access-control match-all <NAME>
(config-cmap)# match start <PROTOCOL> payload-start offset <OFFSET> size <n> eq <HEX>
(config)# policy-map type access-control <PMAP>
(config-if)# service-policy type access-control input <PMAP>
C3PL
- common classification policy language
- uses service templates to push per-session interface config (VLAN, ACL, ...)
- MAB and 802.1x at the same time ⇒ no DHCP timeout (delay not required)
- can direct MAB and 802.1x to different servers
- critical ACL: ACL if RADIUS is unreachable
- critical MAB: local MAC DB if RADIUS is unreachable
(config)# authentication display new-style|legacy
(config)# service-template <TEMPLATE>
(config)# class-map type control subscriber match-any <CMAP>
(config)# policy-map type control subscriber <PMAP>
(config-event-control-policymap)# event <type> match-all|match-first
(config-class-control-policymap)# <n> class <CMAP>|always do-all|do-until-failure|do-until-success
(config-action-control-policymap)# <m> <ACTION> <ARGS>
(config-if)# service-policy type control subscriber <PMAP>
Design
- filtering on redistribution – white list
- AAA
- disable mrinfo, HTTP
- protection from TTL expiry
- filter low TTL
- ACL on edge
- CoPP
- breaks tracert
- filter address
- private
- self
- bogon
- CoPP for closed ports
- browsers can send NetBIOS-NS, LLMNR or mDNS along with common DNS – needs to be filtered
IPv6
SeND
- secure neighbour discovery
- CGA – cryptographically generated address
- interface ID derived from a SHA-1 hash over the RSA public key, the subnet prefix and a modifier (RFC 3972); the Sec value scales the brute-force cost of forging
- messages are signed (RSA), public key included into message
- extra messages:
- CertificationPath Solicitation
- CertificationPath Answer
(config)# ipv6 nd inspection policy <POLICY>
; drops ND messages without SeND options or with invalid ones
(config-nd-inspection)# drop-unsecure
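Added example (not from the notes, not IOS code): CGA generation and verification per RFC 3972, the mechanism the SeND bullets above rely on. The interface identifier is Hash1 = SHA-1(modifier | subnet prefix | collision count | public key) truncated to 64 bits, with Sec in the top 3 bits and the u/g bits cleared; Hash2 over (modifier | 9 zero octets | public key) must start with 16*Sec zero bits, which is the work an attacker must repeat to find another key for the same address. The public key bytes are a constructed placeholder for a DER-encoded SubjectPublicKeyInfo, and the modifier starts at zero instead of random so the run is deterministic.

```python
"""Cryptographically generated addresses (RFC 3972): added example, not IOS code."""
import hashlib
import ipaddress

PUBKEY = b"\x30\x81\x9f" + bytes(range(160))     # constructed stand-in, not a real RSA key


def _prefix8(prefix):
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]

def _hash1(modifier, prefix8, collision_count, pubkey):
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def _hash2_ok(modifier, pubkey, sec):
    """Leftmost 16*sec bits of the 112-bit Hash2 must be zero."""
    return sec == 0 or int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec=0, modifier=bytes(16), collision_count=0):
    """Return (address, CGA parameters). Real generators start from a random
    modifier; expected work is about 2^(16*sec) SHA-1 evaluations."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("sec must be 0..7 and collision count 0..2")
    prefix8 = _prefix8(prefix)
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix8, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)          # Sec in bits 0-2, u/g bits (6, 7) cleared
    address = ipaddress.IPv6Address(prefix8 + bytes(iid))
    return address, {"modifier": modifier, "prefix": prefix,
                     "collision_count": collision_count, "pubkey": pubkey}

def verify_cga(address, params):
    """RFC 3972 section 5: recompute Hash1 for the claimed parameters and check
    Hash2 for the Sec value encoded in the address."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or packed[:8] != _prefix8(params["prefix"]):
        return False
    sec = packed[8] >> 5
    h1 = bytearray(_hash1(params["modifier"], packed[:8], params["collision_count"], params["pubkey"]))
    iid = bytearray(packed[8:])
    h1[0] &= 0x1C
    iid[0] &= 0x1C                                 # ignore Sec and u/g bits in the comparison
    if h1 != iid:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)

def run_checks():
    addr0, params0 = generate_cga("2001:db8::/64", PUBKEY, sec=0)
    addr1, params1 = generate_cga("2001:db8::/64", PUBKEY, sec=1)
    attacker_key = PUBKEY[:-1] + b"\xff"           # someone else's key, same address claimed
    return {
        "sec0_verifies": verify_cga(addr0, params0),
        "sec1_verifies": verify_cga(addr1, params1),
        "sec1_in_address": addr1.packed[8] >> 5,
        "ug_bits_zero": addr0.packed[8] & 0x03,
        "other_key_rejected": verify_cga(addr0, {**params0, "pubkey": attacker_key}),
        "moved_prefix_rejected": verify_cga(addr0, {**params0, "prefix": "2001:db8:1::/64"}),
        "sec1_hash2_leading_zero_bits": _hash2(params1["modifier"], PUBKEY)[:2] == b"\x00\x00",
    }
```

`verify_cga` alone only proves that the address was derived from the given key; SeND additionally requires the ND message to carry an RSA signature under that key, which is what ties the binding to the sender of the packet.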
RA guard
(config)# ipv6 nd raguard policy <POLICY>
(config-ra-guard)# device-role host|router
(config-ra-guard)# managed-config-flag on|off
; verify src RA
(config-ra-guard)# match ipv6 access-list <ACL>
; verify prefixes in RA
(config-ra-guard)# match ra prefix-list <PLIST>
ND inspection
(config)# ipv6 nd inspection policy <POLICY>
; source MAC must match the link-layer address option in the ND message
(config-nd-inspection)# validate source-mac
; per-port
(config-nd-inspection)# limit address-count <n>
DHCPv6 guard
(config)# ipv6 dhcp guard policy <POLICY>
; client by default
(config-dhcp-guard)# device-role client|server
; address-based filtering of DHCP server
(config-dhcp-guard)# match server access-list <ACL>
; filter prefix within DHCP advertise
(config-dhcp-guard)# match reply prefix-list <PLIST>
; disables guard verification
(config-dhcp-guard)# trusted-port
(config)# vlan configuration <N>
(config-vlan-config)# ipv6 dhcp guard attach-policy <POLICY>
(config-if)# ipv6 dhcp guard attach-policy <POLICY> [vlan <LIST>]
IPv6 snooping
- filled by NDP, DHCP
- enables RA guard
- no support for etherchannel
- sends DHCP or DAD for src address that became glean
(config)# ipv6 snooping [logging]
; static entry in binding table
(config)# ipv6 neighbor binding <IPv6> interface <INTF> [<MAC>]
(config)# ipv6 neighbor tracking
(config)# ipv6 snooping policy <POLICY>
; limits protocols for glean as well as trigger prefixes
(config-ipv6-snooping)# protocol dhcp|ndp [prefix-list <PLIST>]
(config-ipv6-snooping)# destination-glean recovery|log-only [dhcp]
; src address
(config-ipv6-snooping)# data-glean recovery|log-only [ndp|dhcp]
; with DHCP and RA
(config-ipv6-snooping)# prefix-glean
# show ipv6 neighbors binding
IPv6 source guard
- if entry is not found, try to refresh it using DHCP/NDP
(config)# ipv6 source-guard policy <POLICY>
(config-sisf-sourceguard)# permit link-local
(config-sisf-sourceguard)# validate address
(config-sisf-sourceguard)# deny global-autoconf
; permit all traffic
(config-sisf-sourceguard)# trusted
# show ipv6 source-guard policy <POLICY>
IPv6 prefix guard
- prohibits using addresses from prefixes that are not on the link
- uses info from RA, DHCP-PD, static
- pushes PACL
(config)# ipv6 source-guard policy <POLICY>
; disables the source-guard address check (prefix check only)
(config-sisf-sourceguard)# no validate address
(config-sisf-sourceguard)# validate prefix
IPv6 destination guard
- drops traffic towards directly connected dst that is not in binding table
- protection against ND exhaustion
(config)# ipv6 destination-guard policy <POLICY>
; stressed drops traffic only when ND cache is being overflown
(config-destguard)# enforcement always|stressed
IPv6 DAD proxy
- no support for etherchannel
- intercepts NS, does not forward them further, replies by itself
- learns through NDP
- useful with PVLAN, because hosts do not see each other
(config-if)# ipv6 nd dad-proxy
ND mcast suppress
- drops mcast NS
- if there is info, replies to NS itself
- extension to DAD proxy
(config)# ipv6 nd suppress policy <POLICY>
; drop only mcast NS or drop both mcast&unicast NS
(config-nd-suppress)# mode mc-proxy|full-proxy